Not a critical flaw, but it is commonly found in web UI applications – VMware vRealize Log Insight (CVE-2021-22021) – 24-8-2021

Preface: Log event collection without data normalization is hard to manage, and it will drive you crazy. If you do not have log event aggregation and correlation functions, your IT life will not be easy.

Background: vRealize Log Insight delivers indexing and machine-learning-based Intelligent Grouping to enable searching for faster troubleshooting across physical, virtual and cloud environments.

Security requirements recommended by the vendor in the user guide (Log-insight-getting-start-guide):
To ensure that your virtual environment is protected from external attacks, you must observe certain rules.
– Always install vRealize Log Insight in a trusted network.
– Always save vRealize Log Insight support bundles in a secure location.

Vulnerability details: VMware vRealize Log Insight contains a Cross Site Scripting (XSS) vulnerability due to improper user input validation. An attacker with user privileges may be able to inject a malicious payload via the Log Insight UI which would be executed when the victim accesses the shared dashboard link.

Reference: Input validation is the first step of checking the type and content of data supplied by a user or application. Improper input validation is a major factor in many web security vulnerabilities, including cross-site scripting (XSS) and SQL injection.

Remediation: Official announcement by vendor – https://www.vmware.com/security/advisories/VMSA-2021-0019.html

Another flaw prompted an urgent U.S. government warning and guidance (Azure Cosmos DB) – 29th Aug 2021

Preface: Data scientists are big data wranglers, gathering and analyzing large sets of structured and unstructured data. Jupyter Notebooks allow data scientists to create and share their documents, from code to full-blown reports, helping them streamline their work.

Background: Azure Cosmos DB built-in Jupyter Notebooks are directly integrated into the Azure portal and Azure Cosmos DB accounts, making them easy for data scientists to use. The Jupyter Notebook is an open-source web application that allows you to create and share documents that contain live code, equations, visualizations and narrative text. Uses include data cleaning and transformation, numerical simulation, statistical modeling, data visualization, machine learning, and much more.

Speculation related to this matter: A trojan malware campaign found in November last year (2020) was targeting businesses and higher education in what appears to be an effort to steal usernames, passwords and other private information, as well as creating a persistent backdoor on compromised systems.

Vulnerability details: A misconfiguration vulnerability in Microsoft’s Azure Cosmos DB may have exposed customer data. In the first step, the attacker gains access to the customer’s Cosmos DB primary key, for example by exploiting the vulnerability in the Jupyter Notebook feature (virtual machine) to obtain the key.

Ref: Primary keys are long-lived and allow full READ/WRITE/DELETE access to customer data.

Workaround: Navigate to your Azure Cosmos DB account on the Azure portal and Regenerate Secondary Key. Please refer to the following URL for details – https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key#primary-keys

CISA announcement – https://us-cert.cisa.gov/ncas/current-activity/2021/08/27/microsoft-azure-cosmos-db-guidance

VMware security update (25th Aug 2021)

Preface: VMware released a security update on August 24, 2021 to address vulnerabilities in multiple products. The risk level of these vulnerabilities ranges from 4.4 to 8.6 (CVSSv3), so it attracted my interest in reading it.

Background: The vRealize Operations Manager API Programming Guide provides information about the vRealize Operations Manager REST APIs, including how to use the REST API resources, authenticate, and construct REST API calls.

Our focus this time is CVE-2021-22025. The flaw allows an unauthenticated malicious actor with network access to the vRealize Operations Manager API; the risk rating is a CVSSv3 base score of 8.6. Furthermore, the article mentions that a successful attack can add new nodes to an existing vROps cluster. In my view, everything depends on the type of token captured by the attacker: if it belongs to a privileged user, the access permission is high.

Remark: vROps_token is the token that you obtained from the response of the Acquire an Authentication Token call.

Meanwhile, the VMware programming guide already provides the following function. A token has an expiry time setting; this is not applied by default, but you can do the following: invalidate the token before its expiration date and time by sending a POST request to the logout endpoint. For details, please refer to the attached diagram.

Vulnerability summary:

Broken access control vulnerability in vRealize Operations Manager API (CVE-2021-22025) – CVSSv3 base score of 8.6.

Arbitrary log-file read vulnerability in vRealize Operations Manager API (CVE-2021-22024) – CVSSv3 base score of 7.5.

Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-22026, CVE-2021-22027) – CVSSv3 base score of 7.5.

Insecure direct object reference vulnerability in vRealize Operations Manager API (CVE-2021-22023) – CVSSv3 base score of 6.6.

Arbitrary file read vulnerability in vRealize Operations Manager API (CVE-2021-22022) – CVSSv3 base score of 4.4.

Official announcement (Remediation) – https://www.vmware.com/security/advisories/VMSA-2021-0018.html

If you are an Istio (open source platform) user, please stay alert! 24-9-2021

Preface: Today developers are using Docker to build modules called microservices, which decentralize packages and divide tasks into separate, stand-alone apps that collaborate with each other.

Background: A sidecar proxy is an application design pattern which abstracts certain features, such as inter-service communication, monitoring and security, away from the main architecture to ease the tracking and maintenance of the application as a whole. Furthermore, the sidecar proxy for each application holds all the non-business logic, so it lets developers focus on the application/service itself without worrying about security or monitoring. Istio has two components: the data plane and the control plane. The data plane is the communication between services. The control plane takes your desired configuration and its view of the services, and dynamically programs the proxy servers, updating them as the rules or the environment change.

Vulnerability details:

CVE-2021-39156: Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio’s URI path based authorization policies.

Remedy: Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8.

CVE-2021-39155: Istio authorization policy should compare the hostname in the HTTP Host header in a case-insensitive way, but currently the comparison is case-sensitive. The proxy routes the request hostname in a case-insensitive way, which means the authorization policy could be bypassed.

Remedy: Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8.
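A toy policy matcher illustrating both bypasses described above, added here as an example (it is not Istio or Envoy code): the deny rule, host names and request paths are constructed for the illustration, and the matcher models only Istio's exact, prefix ("/x/*") and suffix ("*/x") path forms.

```python
"""Model of an Istio DENY AuthorizationPolicy evaluated before and after
the fixes for CVE-2021-39156 (#fragment in the path) and CVE-2021-39155
(case-sensitive Host comparison). Not Istio code; everything is constructed."""
from urllib.parse import urlsplit

# Constructed deny rule, modelled on an AuthorizationPolicy with `hosts`
# and `paths` selectors.
DENY_RULE = {"hosts": ["api.example.com"],
             "paths": ["/admin/users", "/internal/*"]}


def path_matches(pattern: str, path: str) -> bool:
    """Istio's three path forms: prefix '/x/*', suffix '*/x', otherwise exact."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return path == pattern


def vulnerable_is_denied(host: str, raw_path: str) -> bool:
    """Pre-fix: the policy sees the Host header and path exactly as received,
    while routing lowercases the host and drops the '#fragment'. An exact or
    suffix rule therefore fails to match '/admin/users#x' even though the
    backend receives '/admin/users'; prefix rules still match."""
    return (host in DENY_RULE["hosts"]
            and any(path_matches(p, raw_path) for p in DENY_RULE["paths"]))


def normalize(host: str, raw_path: str) -> tuple:
    """Apply the same normalisation the data plane applies before routing:
    lowercase host, strip '#fragment' (and '?query') from the path."""
    return host.lower(), urlsplit(raw_path).path


def hardened_is_denied(host: str, raw_path: str) -> bool:
    """Post-fix: evaluate the rule on the normalised host and path."""
    host, path = normalize(host, raw_path)
    return (host in [h.lower() for h in DENY_RULE["hosts"]]
            and any(path_matches(p, path) for p in DENY_RULE["paths"]))


def demo():
    """Return (vulnerable, hardened) verdicts for three constructed requests."""
    cases = [("api.example.com", "/admin/users"),       # plain request
             ("api.example.com", "/admin/users#frag"),  # CVE-2021-39156
             ("API.Example.COM", "/admin/users")]       # CVE-2021-39155
    return [(vulnerable_is_denied(h, p), hardened_is_denied(h, p)) for h, p in cases]


if __name__ == "__main__":
    print(demo())  # first tuple (True, True); the bypass cases (False, True)
```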

Do you know the design weaknesses of Eclipse Cyclone DDS? 23-08-2021

Preface: DDS is used in the following industries.

DDS is used to share flight data within and across air traffic control centers.
DDS is used in Smart Factories to provide horizontal and vertical data integration across the traditional SCADA layers.
DDS is used to control the 100,000 mirrors that make up the ELT’s optics.

Technical background: DDS applications cooperate by autonomously and asynchronously reading and writing data on a Data Space that provides spatial and temporal decoupling. Eclipse Cyclone DDS is an implementation of the OMG Data Distribution Service (DDS) specification. Eclipse Cyclone DDS offers unique data-sharing capabilities compared to the already existing Eclipse solutions (i.e. for messaging). You can use the code from repositories to experiment, test, build, create patches, issue pull requests, etc.

Example: cyclonedds-python – Project repository hosted on GitHub.

https://github.com/eclipse-cyclonedds/cyclonedds-python

Vulnerability details:

CVE-2020-18735 – A heap buffer overflow in [/]src[/]dds_stream.c of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash. – https://github.com/eclipse-cyclonedds/cyclonedds/issues/501

CVE-2020-18734 – A stack buffer overflow in [/]ddsi[/]q_bitset.h of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash. – https://github.com/eclipse-cyclonedds/cyclonedds/issues/476

CISA Cyber Security Alert – About the May 2021 MS patch (21st Aug, 2021)

Preface: With Exchange Server vNext, Microsoft is phasing out the on-premise delivery model, making Exchange Server 2019 the last on-premise product version.

Point of view: Perhaps quite a lot of people will be surprised by this notification, since more and more organizations have migrated their mail server to Office 365 and the patch issued in May 2021 has already been applied. But patch management in small to medium firms is not easy to manage. It is quite common that a single I.T. technical support person supports everything. It is unbelievable but it is factual. You can see a lot of large mailboxes not being managed. Furthermore, patch management may not be done immediately; it waits for the scheduled time window. As a result, before they conduct patch management, an attacker may have landed on their email server. Apart from the lack of a SIEM facility, relying only on a single firewall makes it hard to defend against such a vulnerability attack. Or you will say, can the local OS antivirus do the detection? The answer is that if the antivirus feature does not include a content security filter function, the attack might have a chance to evade it. I believe that CISA, through their malware sinkhole infrastructure, will see the details, and this is the objective of this alert.

Ref: Apart from the design weakness (vulnerability), the modern architecture is virtual machine infrastructure. It is not rare that the Exchange Server front-end and back-end are located in the same hardware box, because we are living in a virtual machine world. So if such a vulnerability occurs in an on-premises infrastructure, the risk will rapidly increase.

Vulnerability details: Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities:
CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. Details can be found in the following link (CISA official announcement) – https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell

There’s no best of both worlds – CVE-2021-25218: BIND 9.16.19 and 9.17.16 trigger a denial of service when a too-strict assertion check is applied. (19th Aug, 2021)

Preface: BIND is the most popular Domain Name System (DNS) server in use today. It was developed in the 1980s at the University of California, Berkeley and is currently in version 9.

Technical Background: For IPv4 packets, Path MTU Discovery works by setting the Don’t Fragment (DF) flag bit in the IP headers of outgoing packets. Some operating systems allow packets received via other protocols to affect PMTUD values for DNS over UDP.

Setting the “Don’t fragment” flag in the IP header:
It is often useful to avoid fragmentation, since apart from the CPU utilization for fragmentation and reassembly, it may affect throughput (if lost fragments need retransmission). For this reason, it is often desirable to know the maximum transmission unit, so “Path MTU discovery” is used to find this size by simply setting the DF bit.

Vulnerability Details: An attacker may abuse the Path MTU discovery (PMTUD) protocol to trick BIND into exceeding the interface MTU. Response Rate Limiting (RRL) is not enabled by default for user-defined views nor for the built-in one, but it is enabled by default for the default built-in CHAOS class view, which BIND uses to provide various information. From a technical point of view, the CH class is misused by BIND!

For details of the vulnerability, please refer to the link – https://kb.isc.org/v1/docs/h

As an end user, are you concerned about the CVE-2021-28372 vulnerability? 17th Aug 2021

Preface: The Kalay platform contains a major vulnerability that will allow hackers to remotely access IoT devices.

Background: Kalay Platform 2.0. This newly developed decentralized structure simplifies the role of the primary server to work as an intermediary transmitter, which reduces the chances of a server being compromised or data being intercepted. Kalay 2.0 is designed using a two-factor UID and end-to-end encryption to support multi-factor authentication and dynamic key-pairing; the new solution ensures protection for the end-user’s data and transmission.

The vulnerability is triggered in the following situations.

  • Device firmware that does not use AuthKey when IOTC is connected.
  • Firmware that uses the AVAPI module but does not enable the DTLS mechanism.
  • Firmware that uses the RDT module or P2PTunnel.

Basically, when the vendor conducted its own security review in 2018, the vulnerability was discovered and patched; that is, SDK version 3.1.10 released at that time has been patched.

However, security consulting company “FireEye” discovered that some network surveillance cameras have security vulnerabilities, and these devices are still using an old version of the TUTK SDK before 3.1.4. Therefore, the CVE-2021-32934 vulnerability was announced.

Vulnerability details:

CISA encourages users and administrators to review the ICS Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-21-229-01

FireEye Mandiant blog: https://www.fireeye.com/blog/threat-research/2021/08/mandiant-discloses-critical-vulnerability-affecting-iot-devices.html

CISA Urges: Beware of BlackBerry (QNX RTOS) Vulnerabilities – 17th Aug 2021

Preface: BlackBerry OS was discontinued after the release of BlackBerry 10. BlackBerry 10 is based on QNX, a Unix-like operating system that was originally developed by QNX Software Systems until the company was acquired by BlackBerry in April 2010. It supports the application framework Qt (version 4.8) and in some later models features an Android runtime to run Android applications.

Background: The runtime library is the library that is automatically compiled in for any C program you run. The version of the library you use depends on your compiler, platform, debugging options, and multithreading options.

The calloc() in C is a function used to allocate multiple blocks of memory having the same size. It is a dynamic memory allocation function that allocates the memory space to complex data structures such as arrays and structures and returns a void pointer to the memory.

The free() function frees the memory space pointed to by ptr, which must have been returned by a previous call to malloc(), calloc() or realloc(). Otherwise, or if free(ptr) has already been called before, undefined behavior occurs.

Vulnerability details: An integer overflow vulnerability in the calloc() function of the C runtime library in affected versions of the BlackBerry QNX Software Development Platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier could potentially allow a successful attacker to perform a denial of service or execute arbitrary code. BlackBerry is not aware of any exploitation of this vulnerability. For more details, please refer to the links below.

Official announcement: https://support.blackberry.com/kb/articleDetail?articleNumber=000082334

CISA alert: https://us-cert.cisa.gov/ncas/alerts/aa21-229a

Headline News: https://www.zdnet.com/article/cisa-releases-alert-on-badalloc-vulnerability-in-blackberry-products/
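An added example, not QNX or BlackBerry code: a model of the calloc() size computation in which nmemb * size wraps in a 32-bit size_t, beside the overflow check a hardened allocator performs before reserving memory. The bit width and the request values are constructed assumptions for the illustration.

```python
"""Model of the integer overflow class behind the calloc() advisory above.
An unchecked allocator computes nmemb * size in size_t arithmetic, so the
product can wrap and the caller receives a block far smaller than the
nmemb * size bytes it believes it owns. Not vendor code; constructed."""

SIZE_T_BITS = 32                    # assumption: 32-bit target
SIZE_MAX = (1 << SIZE_T_BITS) - 1   # largest value a size_t can hold


def naive_calloc_bytes(nmemb: int, size: int) -> int:
    """Unchecked: the product is truncated to size_t, as C arithmetic does.
    This is the number of bytes the flawed allocator actually reserves."""
    return (nmemb * size) & SIZE_MAX


def checked_calloc_bytes(nmemb: int, size: int):
    """Hardened: refuse when nmemb * size does not fit in size_t.
    The division form avoids ever forming the overflowing product in C;
    a real allocator would return NULL (and set errno = ENOMEM) here."""
    if size != 0 and nmemb > SIZE_MAX // size:
        return None
    return nmemb * size


def shortfall_bytes(nmemb: int, size: int) -> int:
    """How many bytes the caller may write beyond the naive allocation,
    i.e. the size of the heap overflow a wrapped request produces."""
    return nmemb * size - naive_calloc_bytes(nmemb, size)


def demo():
    """Constructed request: 65537 records of 65536 bytes (4 GiB + 64 KiB).
    Returns (naive_allocation, checked_result, shortfall)."""
    nmemb, size = 0x10001, 0x10000
    return (naive_calloc_bytes(nmemb, size),
            checked_calloc_bytes(nmemb, size),
            shortfall_bytes(nmemb, size))


if __name__ == "__main__":
    print(demo())  # (65536, None, 4294967296): 64 KiB reserved, 4 GiB short
```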

CVE-2021-38197 – vulnerability encountered in “go-unarr”. Not suggested for use until it is fixed. (16th Aug, 2021)

Preface: Gobot is a framework for robotics, drones, and the Internet of Things (IoT), written in the Go programming language. The design goal of the decompression library is embedded devices, because their flash memory capacity is limited and their processing speed is slow.

Background: Package unarr is a decompression library for RAR, TAR, ZIP and 7z archives.

Vulnerability details: The vulnerability occurred in unarr and leads to a path traversal vulnerability. What is a traversal attack? A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder.

Use the “go-unarr” tool to decompress the malicious zip file, and it will decompress the malicious file at the same time. However, if you use other tools, such as tar, the malicious folder cannot be decompressed to the destination. By triggering the path traversal vulnerability, an attacker can store any file in any privileged place (which means that remote code execution can be caused under root privileges).
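An added example, not go-unarr’s code (written in Python so it runs stand-alone), of the check an extractor needs before writing any archive entry to disk: an archive containing a “../” entry is constructed in memory and extracted into a temporary directory, and the escaping entry is rejected rather than written.

```python
"""Path-traversal guard for archive extraction. Not go-unarr code; the
archive and destination are constructed for the illustration."""
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed archive: one benign entry and one entry whose name
    climbs out of the extraction directory with '../' components."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign\n")
        zf.writestr("../../escaped.txt", "written outside dest\n")
    return buf.getvalue()


def is_safe_member(dest: str, name: str) -> bool:
    """True only if dest/name resolves to a location strictly inside dest.
    Resolving with realpath rejects '..' components, absolute names and
    names that pass through existing symlinks pointing outside dest."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) == dest_real and target != dest_real


def extract_checked(archive: bytes, dest: str):
    """Extract only safe members; return (written, rejected) entry names.
    Entries are written by hand (not ZipFile.extract) so the check above is
    the only thing standing between the entry name and the disk."""
    written, rejected = [], []
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest, info.filename):
                rejected.append(info.filename)
                continue
            out = os.path.join(dest_real, info.filename)
            if info.is_dir():
                os.makedirs(out, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(out), exist_ok=True)
                with zf.open(info) as src, open(out, "wb") as dst:
                    dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def demo():
    """Run the guarded extraction against the constructed archive."""
    with tempfile.TemporaryDirectory() as dest:
        return extract_checked(build_malicious_zip(), dest)
```

The same check applies to tar: entries that are symlinks or hard links need their link targets validated with the same function before the link is created.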

Workaround: None.

Affected version: unarr 0.1.1

Remedy: Not yet announced. Therefore it is not suggested to use it until it is fixed.